It is not easy to do so, self-service runs on same port as security console, and we have no out-of-the-box option to disable internal self-service and keep web tier functional. All self-service settings in the security console for customization apply to web tier and self-service at the same time. You could use ACL's or similar on the network [externally from the RSA server] to block all access to port 7004 except for admins using specific IP's.

It is not easy to do so, self-service runs on same port as security console, and we have no out-of-the-box option to disable internal self-service and keep web tier functional. All self-service settings in the security console for customization apply to web tier and self-service at the same time. You could use ACL's or similar on the network [externally from the RSA server] to block all access to port 7004 except for admins using specific IP's.